[jboss-as7-dev] Security Domain Config: JASPI vs Classic?

Bill Burke bburke at redhat.com
Tue Oct 4 11:42:34 EDT 2011



On 10/4/11 11:13 AM, Darran Lofthouse wrote:
> On 10/04/2011 03:29 PM, Bill Burke wrote:
>> Callback handlers would give you a "storage" abstraction driven by any
>> arbitrary interface.  We'd implement a different SPI for it
>
> One thing this does change is that the location of any caching based on
> the authentication needs to be moved to a different location and in a
> different context.
>

Ya, the whole caching mechanism of JBoss security APIs is built on the 
premise that LoginModules are stateless.  This goes to the point I've 
made in the past that if you're building your code on top of a flawed 
architecture you're going to have flawed code no matter how good of an 
engineer you are.  It's time to redefine the problem.

In the API/SPI I'm proposing CallbackHandlers are stateful and thus can 
decide whether or not to cache information.

For example, it doesn't make sense to reload the user.properties file, 
for every single new user (which I believe our code actually does). 
Just load it up once and cache it within memory. For LDAP integration, 
it does make sense to cache individual user/password combos.  An HTTP 
based IDP could use Cache-Control protocol to tell the IDP's callback 
handler how to cache.

So the caching mechanism really depends on the "security storage 
mechanism".  The CallbackHandler interface and config I'm proposing 
totally abstracts this out.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
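The following is an added illustration of the idea in the post, not code from JBoss AS7 or from the author: a stateful CallbackHandler that acts as the "storage" abstraction for a users properties file and owns its own caching policy (parse the file once, re-read only when its modification time changes, which is a small extension of the "load it once" case). The VerifyCallback type is a hypothetical SPI assumed for the example; javax.security.auth.callback is the real JAAS package.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.security.MessageDigest;
import java.util.Properties;

/** Hypothetical callback (assumed SPI): the authenticator asks the store
 *  "does this user/password pair match?" and reads back {@code valid}. */
final class VerifyCallback implements Callback {
    final String user;
    final char[] password;
    boolean valid;
    VerifyCallback(String user, char[] password) { this.user = user; this.password = password; }
}

/** Properties-file backed store. Because the handler is stateful it decides
 *  the caching policy itself: the file is parsed once and kept in memory,
 *  and only re-read when its mtime changes (no per-request reload). */
final class PropertiesFileHandler implements CallbackHandler {
    private final Path file;
    private Properties users = new Properties(); // state kept across calls
    private FileTime loadedAt;                   // mtime of the cached copy

    PropertiesFileHandler(Path file) { this.file = file; }

    private synchronized Properties users() throws IOException {
        FileTime mtime = Files.getLastModifiedTime(file);
        if (loadedAt == null || !loadedAt.equals(mtime)) {
            Properties fresh = new Properties();
            try (Reader r = Files.newBufferedReader(file, StandardCharsets.ISO_8859_1)) {
                fresh.load(r);
            }
            users = fresh;
            loadedAt = mtime;
        }
        return users;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof VerifyCallback)) throw new UnsupportedCallbackException(cb);
            VerifyCallback vc = (VerifyCallback) cb;
            String stored = users().getProperty(vc.user); // value in the file's own encoding
            byte[] given = new String(vc.password).getBytes(StandardCharsets.UTF_8);
            // Constant-time comparison so a missing/mismatching entry leaks no timing signal.
            vc.valid = stored != null
                    && MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8), given);
        }
    }
}
```

An LDAP-backed handler would use the same interface but keep a bounded, time-limited per-user cache instead of a whole-file copy, which is exactly the per-backend policy choice the post argues for.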

